int pcap_dispatch(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
I understand that pcap_dispatch calls the callback routine upon receiving a packet and the first argument passed on to the callback routine is the last argument to the pcap_dipatch function. So what about the remaining two arguments of the callback routine. where does the pcap_dispatch get the other arguments to be passed on?
I'm not entirely sure I understand what you're asking, but I think I might to be able to cover it.
Firstly, a dispatch handler is just a function matching this signature:
void packethandler( u_char *args, const struct pcap_pkthdr* pkthdr,
const u_char* packet )
The arguments there are, from right to left, the packet libpcap has extracted from the network interface, the pcap format packet header and the arguments to the packet handler.
I imagine if anything, the first argument is possibly causing you a problem. If you need to pass multiple arguments, you can do this - it's just not quite what you'd expect. Rather than use va_args, if you want to pass multiple arguments you can simply define a struct. Assuming typedef struct { ... } myparams; you can then pass:
(u_char*) myparamstruct
as a parameter and inside your handler do:
myparams* params = (myparams*) args;
This works because you're passing pointers, not data. The type for pointers simply describes the underlying, dereferenced location type (a way of interpreting the data), not the actual value of the pointer - as all pointers are equally wide (for the purposes of this, anyway).
So that might cover getting those arguments in. As for the remaining two arguments, as I said before, these are what libpcap has captured from the specified network interface. Essentially, every time a packet is successfully extracted your handler is called by means of a function pointer, with the packet details encoded in those arguments and passing through the user-supplied argument pointer.
The other two arguments come from the packet that was just captured (if you used pcap_open_live() or pcap_create()/pcap_activate() to open the pcap_t) or read from the capture file (if you used pcap_open_offline() to open the pcap_t) - pkthdr is a structure containing the time stamp for the packet, the length of the packet as it appeared on the network, and the length of the packet after it was cut short by the snapshot length, and packet is the raw packet data.